this post was submitted on 06 Feb 2024
182 points (99.5% liked)

Selfhosted

40296 readers
322 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
182
What are the most paranoid network/OS security measures you've implemented in your homelab? (lemmy.world)
submitted 9 months ago by MigratingtoLemmy@lemmy.world to c/selfhosted@lemmy.world
132 comments fedilink hide all child comments
 

As the title says, I want to know the most paranoid security measures you've implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I'm wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] Pika@sh.itjust.works 27 points 9 months ago* (last edited 9 months ago) (4 children)

My security is fairly simplistic but I'm happy with it

  • software protection

    • fail2ban with low warning hold
    • cert based login for ssh (no password Auth)
    • Honeypot on all common port numbers, which if pinged leads to a permanent IP ban
    • drop all firewall
    • PSAD for intrusion/scanning protection (so many Russian scanners... lol)
    • wireguard for VPN to access local virtual machines and resources
    • external VPN with nordVPN for secure containers (yes I know nord is questionable I plan to swap when my sub runs out)

  • physical protection

    • luksCrypt on the sensitive Data/program Drive ( I know there's some security concerns with luksCrypt bite me)
    • grub and bios locked with password
    • UPS set to auto notify on power outage
    • router with keep alive warning system that pings my phone if the lab goes offline and provides fallback dns

  • things I've thought about:

    • a mock recovery partition entry that will nuke the Luks headers on entry (to prevent potential exploit getting through grub)
    • removing super user access completely outside of local user access
[–] IlIllIIIllIlIlIIlI@lemmy.world 3 points 9 months ago

What honeypot are you using?

load more comments (3 replies)